by Jeff Bryner
Like most, I recently read the story of the EMT who posted a grisly picture to Facebook via his mobile phone. This got me thinking about social network forensics. I just happened to have joined Facebook (am I the last one?) and being of forensic mind... this post.
The issue that brings forensics into the case? The claim is that his post is by accident and was unintentional.
Now Facebook has a long history of privacy misunderstandings, and being a brand new user I can attest that it's nearly impossible at first glance to determine the privacy of the items you post. Is my looking at a potential 'friend' going to trigger an alert to them? If I look at their photos to see if I remember them does that alert my entire universe? What the heck is a poke?
Here's what I discovered about the current process to post a photo on Facebook using my own Symbian phone.
First you must register your mobile phone number on Facebook, so subsequent messages from you show up on your account. You do this by sending a MMS message to firstname.lastname@example.org, and receiving a confirmation text message from Facebook (32665/fbook on the keypad). This results in a status change on your Facebook account "Jeff activated Facebook Mobile."
After registering, sending a picture to email@example.com via a MMS message creates a 'mobile uploads' photo album with a time-stamp. The subject of the MMS message becomes the picture caption and the picture is added to the album.
Normally, new albums you create are automatically shared to everyone. The auto-created 'mobile uploads' photo album however, wasn't automatically shared to anyone. Even friends can't see the album, much less any pictures within it. To share you either need to post it on your 'wall' or change the privacy settings of the album via the path: Facebook->Profile->Photos->Album Privacy.
So given this process what would we look for in forensics to help determine if this was indeed an accident?
- Was he registered to use his mobile account on Facebook prior to the date in question?
- Was his 'mobile uploads' album shared prior to this event?
- Are there other pictures on his mobile?
- Was there some other event happening that initiated the send?
- Is the process of uploading pictures using a Symbian as I've done different than using a Samsung, or iPhone, or Blackberry, or Windows Mobile?
- Is the process for today's mobile pictures the same as when this event occurred?
If not, then he would have had to go to extraordinary lengths to register, upload a picture and share it to the world.
If not, then again he would have had to explicitly share it. If it was shared prior to this event then any picture sent from his mobile would be public.
If not, then taking one is in itself a unique event. If there are other pictures on his mobile are the names similar? Could there be reasonable confusion about which photo is what?
It's not clear whether the photo was sent during the emergency response, or after. If it was sent during the response it would seem extraordinary to take the time out of your duties to send a photo. Then again, was there some other personal event occurring in his life that warranted a quick time-out to send a photo like a child's birthday earlier in the day, etc? If it was sent as a batch of photos during say a weekly upload to Facebook, then it may be part of his routine.
It would seem that to properly answer the claim of 'accident' a forensic analysis of the time line and the details of his personal technology in conjunction with a review of his routine on Facebook would be in order.
With the explosion of social networking sites is there a need for a new forensic framework? One not so much focused on recovering deleted files or operating system artifacts, but centering on:
- Determining the strength of relationships
- Analyzing the intent of actions given the pattern of use on a social networking site
- Determining the likelihood of observable events being related
- Uncovering past relationships
- Archiving site privacy settings/policies
- Forensic patterns of intra-social networking applications?
What do you think? Comments?
Jeff Bryner , GCFA Gold #137, also holds the CISSP and GCIH certifications, occasionally teaches for SANS and performs forensics, intrusion analysis, and security architecture work on a daily basis.